Computer system that tolerates transient errors and method for management in a system of this type

ABSTRACT

The present invention concerns a computer system that tolerates transient errors, made up by a processing unit, including:  
     at least two processing units ( 50, 51 ), each one including:  
     a microprocessor ( 54, 57 ),  
     a memory ( 53, 56 ) protected by a device generating and checking an error detection and correction code,  
     a device ( 55, 58 ) for monitoring memory accesses,  
     a centralised control device ( 52 ) for the processing units and for the inputs/outputs, including:  
     macro-synchronisation means,  
     data comparison/vote means,  
     correction request means,  
     decision-making means,  
     means allowing the inputs/outputs to be performed,  
     links ( 60, 61 ) respectively linking each processing unit to the device ( 52 ) controlling the processing units and the inputs/outputs.

TECHNICAL FIELD

[0001] The present invention concerns a computer system tolerating transient errors and a control procedure in such a system.

[0002] The field of the invention is that of computer architectures subject to environments that are hostile to electronic components (radiation, electromagnetic interference) and liable to cause transient errors, for example in the following fields:

[0003] the space, nuclear and aeronautical industries, where the environment includes, among other things, heavy ions,

[0004] the car industry, subject to a severe electromagnetic environment.

PREVIOUS STATE OF THE ART

[0005] In the remainder of the description, the example of the space domain is used, which is highly representative of the transient errors generated randomly in electronic components.

[0006] The designers of computer architectures for satellites are faced with the problem of the different types of radiation that exist in space. One of the effects of this radiation is called an “upset” or “Single Event Upset”, corresponding to one or several temporary changes of state of bits in electronic components such as memories. The errors caused by single events may lead to the creation of faulty data (e.g., a bad command to a satellite actuator) or to a serious disturbance of the sequencing of the software (e.g., a microprocessor crash).

[0007] Until now, the solution for errors of the single event kind lay in the use of integrated circuit technologies with low sensitivity to this phenomenon (called “radiation resistant”), or even insensitive to it (called “radiation hardened”). Such technologies are not used by the micro-electronics industry and consequently they have been developed specifically for military and space applications.

[0008] The overall cost associated with the existence of such micro-electronic technologies and with the development of components for them (development, maintenance, ongoing evolution in performance levels), and then the selling price of these components, is very high (the development of a new micro-electronic technology line may amount to almost 1 Billion Francs; the purchase cost of a radiation-resistant or hardened microprocessor amounts to tens of thousands of Francs, whilst its commercial version costs several thousand Francs; the hardened/commercial ratio may be 100/1 or more).

[0009] The American Ministry for Defence has put a stop to the use of military electronic components for its applications, and has accelerated the purchase of commercial specifications, standards and components for military activities.

[0010] The share of the market held by military components, called “high reliability” components, has dropped sharply, from 80% in the 1960s to less than 1% in 1995 (heavy increase in the use of electronic components by industry, reduction in military markets), to the point that these components could soon disappear altogether (some large military component manufacturers have pulled out of this market, which is becoming less and less buoyant).

[0011] The possibility of using commercial components in space applications is a problem that is faced by any newly created project. The use of this type of components in the space industry is expected to provide the following advantages:

[0012] a solution to the problem of the drop recorded in the supply of “high reliability” components, as a result of the withdrawal of the major suppliers from this market,

[0013] a reduction in costs: the “high reliability components” item is not negligible within the total cost of developing any equipment, and becomes the dominant factor in its recurrent cost. The weight of the components is however highly variable depending on the target taken into account (platform, payload, equipment, level of recurrence, etc.),

[0014] the use of functions/components with better performance, allowing the volume of electronics to be cut (optimisation of mass/consumption/reliability) and/or the functionality to be increased,

[0015] a cut in the duration of project development to offer more reactive access to space, with the supply time for “high reliability” components currently being one or two years.

[0016] Nonetheless, one major problem facing the computer architecture designer is the sensitivity of these components to radiation, and in particular to heavy ions. This matter, which used to be dealt with at the “component” level (resistant or hardened technologies), must now be resolved at the “architecture” and “system” levels.

[0017] Satellites, and therefore their onboard electronics, are subject to a radiation environment made up of different particles (electrons, heavy ions, protons), which systems used on the ground never experience because these particles are filtered out by the atmosphere.

[0018] The source of these particles may be classified into four components, which may be linked to one another:

[0019] cosmic radiation of a partly extra-galactic and partly galactic origin, made up of extremely energetic ions,

[0020] the radiation belts around the earth made up by trapped electrons and protons produced as a result of the interactions between the earth's atmosphere and solar particles,

[0021] the solar eruptions which send out protons or heavy ions,

[0022] the solar wind produced by the evaporation of the corona plasma, allowing low energy protons and ions to escape from the sun's gravitational pull.

[0023] These energetic particles, when striking and passing through an electronic component, transfer part of their energy to it, which disturbs the proper working of the latter. The present description deals with the single event upsets created by heavy ions and protons.

[0024] These single event upsets correspond to the generation of bit errors in the cells which memorise binary values, i.e., the memory cells, the registers and the elementary flip-flops: a value ‘0’ memorised by a memory cell will be transformed into a value ‘1’ or vice versa. As a general rule, a single bit is modified by one heavy ion. These events are not destructive, and new data may subsequently be written and memorised without any error (barring the occurrence of another single event in the same cell). The errors caused by these phenomena are therefore transient.

[0025] In order to be able to use commercial components in the space industry on a large scale, a first possible solution is to select some commercial components by means of a systematic test under radiation, because some may be naturally insensitive to radiation (or at least to some of its effects). Such a solution, besides being very costly in terms of selection, is only a stopgap, because it necessarily rules out the major industry standards if the latter prove to be sensitive to radiation, which is however desirable. A second solution is to find a method allowing the phenomena caused by this radiation, in particular the transient errors, to be tolerated, that is to say, to define architectures allowing the errors to be detected and then corrected. The handling of transient errors is then transferred from the “component” level to the “architecture” and “system” levels. This solution is the one preferred by the invention because it is economically more profitable and allows the constraints on the choice of components to be reduced.

[0026] The field of tolerance to breakdowns and faults has been the subject of numerous research articles and certain mechanisms are widely used in ground-based systems, for example, in order to tolerate the breakdown of a component (e.g., secure systems).

[0027] Numerous mechanisms for the detection, isolation and recovery of faults are well known to the expert. Some mechanisms simply allow errors to be detected, others to detect them and even correct them. Furthermore, these mechanisms have been adapted for processing either temporary errors, or complete breakdowns, or both:

[0028] Prevention of faults: systematic refreshing of static data before their effective use (e.g., configuration registers); self-tests outside of nominal functioning (“off-line”) allowing a component failure to be detected before the latter is used.

[0029] Error detection codes or error detection/correction codes applied to memories, communications and possibly to the logic (basically in the building of application-specific integrated circuits (ASIC) or user-programmable logic circuits (FPGA) called “with integrated control”). Error detection and correction (EDAC) devices are systematically used in space on the memory arrays. A scrubbing function (systematic rereading of the whole memory array) is associated with these devices and is executed as a background task so as to prevent the accumulation of dormant errors which, in the long term, could exceed the detection/correction capacity of the code.

[0030] Duplication and comparison, or triplication and majority vote, known in English as NMR (“N Modular Redundancy”) or in the specific case TMR (“Triple Modular Redundancy”): these mechanisms allow fail safe architectures to be obtained which do not produce a bad command but which stop at the first fault (duplex), or architectures that remain operational at the time of a breakdown (“fail operational”) which have the capacity to mask a single error in real time and to carry on whilst remaining secure (triplex). This kind of architecture has been used in the studies on fail safe computers for the European space capsules, as described in the document referenced [4] at the end of the description. Master/checker architectures also belong to this class; in them only the microprocessors are duplicated, with the data produced by the “master” being verified by the “checker”. The ERC-32 microprocessor from the company TEMIC/THS carries this mechanism, as described in the document referenced [5].

[0031] Multiple programming (“N-version programming”) associated with NMR architectures, which also allows software design errors to be detected because each computer has a software version which has been developed specifically from a common specification.

[0032] Temporal redundancy: it involves either executing twice and comparing, or executing once, loading a command register and then rereading it in order to compare and validate it. One such “arm and fire” mechanism is used in the space industry for highly critical commands (for example, triggering pyrotechnic elements).

[0033] Execution time control: “watchdog timers” are used in all space computers (a programme must be executed in a limited time). Furthermore, finer controls of the execution time may be added to the software (control of the duration of a task, maximum duration authorised for obtaining a response from a communications element, etc.). The resetting of the watchdog may be subject to a specific sequence of keys (used in the car industry).

[0034] Flow control check (e.g., control of the sequencing of a microprocessor): watchdogs allow a coarse control (detection of a hard crash). A finer control of the instruction flow is possible with a more or less complex watchdog process. Signature analysis control is particularly effective and not very demanding in terms of electronics.

[0035] Addressing validation control for a microprocessor based on access rights by pages/segments.

[0036] Plausibility control: this principle is used in satellite attitude and orbit control systems, in which the data from several types of sensors are compared to detect possible anomalies, either a piece of data with respect to an estimated reference obtained from a prediction filter based on previous readings, or a piece of data with respect to a predefined membership range. The so-called “Algorithm Based Fault Tolerance” methods represent a subclass of the plausibility controls, with the verification being based on the execution of a second algorithm (for example, the inverse algorithm, which allows the initial data to be found again starting from the results obtained, if the latter are error-free).

[0037] Structural or semantic data control, requiring relatively complex data structures.

[0038] Complementary concepts of error recovery, for the mechanisms that do not allow faults to be corrected, mainly the restart points (checkpoints): regular saving of contexts and restart from the last context saved. The development of the COPRA computer (1980), as described in the documents referenced [1] to [3], is based on this principle.

[0039] Reinsertion of the faulty resource by transfer of a healthy context into the faulty computer, in order to recover the initial detection/correction capacity of certain architectures. A reinsertion of the faulty chains of a computer may be performed by the operator during the non-critical flight phases.

[0040] The “master/checker” type architecture consists of duplicating only the microprocessor, synchronising both microprocessors instruction by instruction and systematically comparing their buses at each memory access (instructions and data). Certain microprocessors integrate the synchronisation mechanism directly on the chip as well as the bus comparators: for example, the IBM RH6000, Intel i960, Intel Pentium, TEMIC/MHS ERC-32 microprocessors, as described in the referenced document [5].

[0041] Thus the block diagram illustrated in FIG. 1 includes:

[0042] a master microprocessor 1 including:

[0043] a microprocessor core CM,

[0044] a clock generator GH,

[0045] a clock synchroniser SH,

[0046] a configuration register RC,

[0047] a bus comparator CMP,

[0048] some unidirectional or bidirectional bus isolators,

[0049] a checker microprocessor 2 including the same elements:

[0050] a microprocessor core CM,

[0051] a clock generator GH,

[0052] a clock synchroniser SH,

[0053] a configuration register RC,

[0054] a bus comparator CMP,

[0055] some unidirectional or bidirectional bus isolators,

[0056] a memory 3.

[0057] The signals C, A and D are respectively internal buses for control, address and data.

[0058] The clocks H and Hi are, respectively, and for example, at frequencies 10 MHz and 100 MHz.

[0059] In FIG. 1 the shaded elements are specific to the “master/checker” architecture, and the crossed-out signals are inactive or inhibited signals.

[0060] The microprocessor integrates the following elements that are specific to the “master/checker” architecture:

[0061] an RC register which allows one of the two microprocessors to be configured as the “master” and the other one as the “checker”,

[0062] a synchronisation of the Hi internal clocks in both microprocessors,

[0063] some CMP bus comparators,

[0064] a logic allowing the bus isolators to be set to input or to output depending on the type of access, read or write, and also depending on the configuration of the microprocessor as “master” or as “checker”.

[0065] As shown in FIGS. 2A and 2B, which represent respectively the write phase and the read phase for the memory, the functioning is the following: the two microprocessors 1 and 2 read and execute the same instructions at the same time. At each write access to the memory, both microprocessor cores CM generate an address and a data item. The bus isolators of the master microprocessor 1 are set to output, whilst those of the checker microprocessor 2 are set to input, and the bus comparators of the latter compare bit by bit the values supplied by the two microprocessor cores CM. In the event of an anomaly, the checker microprocessor 2 generates an error signal. At each read access to the memory, the address supplied by the master microprocessor 1 is compared by the checker microprocessor 2 with the one it has calculated itself; in the event of agreement, both microprocessors 1 and 2 read the same data.

[0066] The difficulty of building this type of architecture with microprocessors which are not designed for it, and which therefore do not integrate the mechanisms described above, lies in the time shifts between the internal and external clocks. In fact, the user provides the microprocessor with a clock at a relatively low frequency (tens of MHz), which is multiplied internally by a phase-locked loop so as to obtain higher frequencies (a few hundred MHz). Two microprocessors driven by the same clock therefore run at the same frequency but have a time shift with respect to one another. The size of this time shift is random and is determined at power-up. Direct comparison of the buses is thus made impossible.

[0067] In the “master/checker” architecture, the memory is not duplicated. In the COPRA architecture, the memory is duplicated only in order to be tolerant to component failures, but the two central units use the same memory bank.

[0068] The aim of the invention is to handle transient errors in computer architectures, for example for satellites, with a very high coverage rate so as to allow the use of commercial components in missions having very high availability requirements, despite their sensitivity to single event upsets induced by radiation.

DESCRIPTION OF THE INVENTION

[0069] The present invention puts forward a computer system tolerating transient errors, made up by a processing unit, characterised by the fact that it includes:

[0070] at least two processing units, with each one including:

[0071] one microprocessor,

[0072] a memory protected by a device generating and checking an error detection and correction code,

[0073] a memory access watch device, including:

[0074] means for segmenting the memory and for verifying the rights for accessing each segment,

[0075] means for the specific protection of the memory segments allocated to saving the recovery context,

[0076] means for generating a correction request signal to the control device for the processing units and input/output.

[0077] a centralised control device for the processing units and the input/output, including:

[0078] means for the macro-synchronisation of the processing units,

[0079] means for comparing/voting the data generated by the processing units,

[0080] means (a signal) for receiving the correction requests sent out by the memory access watch devices,

[0081] means for deciding to initiate a correction phase in the event of an error, and means (a signal) allowing this request to be transmitted simultaneously to all the processing units,

[0082] means allowing the input/output to be performed,

[0083] links for linking, respectively, each processing unit to the control device for the processing units and the input/output.

[0084] The software tasks advantageously benefit from a particularly secure, specific protection thanks to the memory access watch device, which includes means allowing:

[0085] the memory zones for each task to be differentiated,

[0086] the accesses to the memory involved in the current task to be authorised,

[0087] the accesses to the memory zones involved in other tasks to be forbidden.

[0088] The memorisation of the preceding context of the software tasks advantageously benefits from a particularly secure, specific protection thanks to the memory access watch device, which includes means allowing:

[0089] this context to be memorised in a shared and centralised RAM (“Random Access Memory”) type memory in each processing unit without needing a specific storage device,

[0090] the memory zones used for saving the context of each task to be differentiated,

[0091] each zone used to memorise this context to be managed as a double “Old” and “New” bank,

[0092] the double “Old” and “New” banks to work in tandem,

[0093] the double banks to be swapped by simply inverting an “Old”/“New” index,

[0094] the “Old” zones to be authorised in reading whilst forbidden in writing.

[0095] This device may be used in an onboard electronic system and/or in the space field.

[0096] The present invention also puts forward a procedure to make a computer system tolerant to transient faults, made up by a processing unit, characterised by the fact that it allows:

[0097] identical software programs to be executed simultaneously on at least two processing units, in an independent and asynchronous manner, and complying with the following functioning:

[0098] the transient errors involving the memory of the processing units are detected and corrected thanks to the use of a detection and correction code stored in the memory associated to a software scanning task,

[0099] the proper functioning of the microprocessor for the processing units is checked thanks to a segmentation of the memory associated with a memory access watch which controls that the microprocessor properly provides access rights to the current segment of the memory,

[0100] the memory segments allocated to saving the recovery context are very secure thanks to a specific memory access watch, so as to ensure that a faulty microprocessor cannot generate an error in these critical zones,

[0101] a correction order is sent to the control function for the processing units and the input/output in the event of a violation of the access rights.

[0102] to centralise the following operations in the control function for the processing units and the input/output:

[0103] macro-synchronisation of the different simultaneous executions of the software,

[0104] comparison/vote of all the data generated by the different executions of the software,

[0105] reception of correction orders sent out from the memory access watch following the detection of an error,

[0106] when an error is detected whatever its source may be, the making of a decision so as to initialise a correction phase and the transmission of this order simultaneously to the different executions of the software,

[0107] performance of the inputs/outputs upon demand from the software programs,

[0108] to act as the interface between the software programs that are being executed simultaneously and the control function for the processing units and the input/output.

[0109] Advantageously, there is an error confinement zone between software tasks, that is to say that a faulty microprocessor may only disturb the variables of the current task but not those of the other tasks, thanks to the memory segment control.

[0110] Advantageously, in the event of an error being detected, recovery is possible even with only two processing units, thanks to the vote followed by the memorisation of the preceding context of the software tasks, and thanks to the specific protection of that context, which guarantees that it is safe. This protection is secure because, even though the context is memorised in a shared and centralised memory in each processing unit, it is memorised there in zones controlled by the memory access watch device, in memory zones specific to each task, in a double “Old” and “New” bank working in “flip-flop”; the “flip-flop” of these two banks is carried out by simply inverting an “Old”/“New” index, so that the current context becomes the preceding context. The “Old” zones are authorised in reading, to be used as input data by the tasks, but forbidden in writing, and are therefore protected even in the event of a malfunction of the microprocessors.

[0111] Advantageously, the error recovery, based on restoring the preceding context, is performed thanks to the fact that the index designating the preceding context judged to be safe, that is to say error-free, is not changed: it systematically undergoes a “flip-flop” at the end of the period corresponding to the detection/recovery granularity when no error is detected, so the restoration amounts to a “no flip-flop” of the index designating the current/preceding context, which is inherent in putting the microprocessor into the old mode and therefore requires no particular action.

[0112] Advantageously, the error detection/recovery granularity is the control/command cycle of each one of the software tasks being executed on the processing units, and a recovery can then be performed on the faulty software task alone, without the execution of the other tasks being affected by it.

[0113] Advantageously, an error detection involves putting the microprocessor into the old mode, that is to say forbidding execution during the period corresponding to the detection/recovery granularity in which the error has been detected, thus causing a “hole” of one period in the usual execution cycle.

[0114] Advantageously, the comparison/vote of the context may optionally be performed in two ways:

[0115] either, the application software explicitly demands a grouped comparison/vote of the context data so as to save them only if they are judged to be healthy, that is to say, error-free, with this demand being made systematically at the end of the period corresponding to the detection/recovery granularity;

[0116] or, at the time of their calculation, the hardware memory access watch device for each processing unit detects any attempt at writing in the context zones and systematically subjects it to a comparison/vote to check its veracity.
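As an added illustration, not taken from the patent, the following C simulation models the duplex context protection described in [0088] to [0094] and [0110] to [0116]: two processing units run the same task from the voted “Old” context, may write only into their own task's “New” bank under a memory access watch, and a centralised control device flips the Old/New index only when both New banks agree and no correction request was raised. The data layout, the toy control law and all names are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NUNITS    2   /* duplex: two processing units */
#define NTASKS    2
#define CTX_WORDS 4

/* Per-task context in a double bank: bank[new_idx] is "New" (writable by the
 * current task only), bank[new_idx ^ 1] is "Old" (the last voted context,
 * readable but never writable). Assumed layout, not the patent's. */
typedef struct {
    uint32_t bank[2][CTX_WORDS];
    int new_idx;
} task_ctx_t;

typedef struct {
    task_ctx_t task[NTASKS];
    int current_task;    /* key loaded into the watch before a task runs */
    int correction_req;  /* raised by the watch on an access-right violation */
} unit_t;

/* Memory access watch: refuse and flag any write that is not from the current
 * task, or that targets anything but that task's New bank. */
static int ctx_write(unit_t *u, int task, int bank, int word, uint32_t v) {
    if (task < 0 || task >= NTASKS || word < 0 || word >= CTX_WORDS ||
        task != u->current_task || bank != u->task[task].new_idx) {
        u->correction_req = 1;
        return 0;
    }
    u->task[task].bank[bank][word] = v;
    return 1;
}

/* Reading the Old bank is always allowed: it is the task's input context. */
static uint32_t ctx_read_old(const unit_t *u, int task, int word) {
    const task_ctx_t *t = &u->task[task];
    return t->bank[t->new_idx ^ 1][word];
}

/* One control/command cycle of a task: derive the New context from the Old.
 * Constructed toy control law: count cycles, integrate a sensor reading and
 * output the running mean as the command. Every New word is rewritten, so a
 * New bank left over from a rejected cycle is never reused. */
static void run_task(unit_t *u, int task, uint32_t sensor) {
    int nb = u->task[task].new_idx;
    u->current_task = task;
    uint32_t cnt = ctx_read_old(u, task, 0) + 1;
    uint32_t acc = ctx_read_old(u, task, 1) + sensor;
    ctx_write(u, task, nb, 0, cnt);
    ctx_write(u, task, nb, 1, acc);
    ctx_write(u, task, nb, 2, acc / cnt);
    ctx_write(u, task, nb, 3, sensor);
}

/* Centralised control device, end of the detection/recovery period for one
 * task: vote the two New banks and collect correction requests. On agreement
 * the Old/New index is flipped on both units (New becomes the safe Old).
 * Otherwise nothing is flipped: Old stays the reference and the task simply
 * re-executes from it next cycle. Returns 1 on commit, 0 on recovery. */
static int end_of_cycle_vote(unit_t units[NUNITS], int task) {
    const task_ctx_t *a = &units[0].task[task];
    const task_ctx_t *b = &units[1].task[task];
    int ok = !units[0].correction_req && !units[1].correction_req &&
             memcmp(a->bank[a->new_idx], b->bank[b->new_idx], sizeof a->bank[0]) == 0;
    for (int i = 0; i < NUNITS; i++) {
        if (ok) units[i].task[task].new_idx ^= 1;   /* the "flip-flop" */
        units[i].correction_req = 0;               /* request consumed */
    }
    return ok;
}

/* Scenario: cycle 1 clean; in cycle 2 a constructed single event upset flips
 * one bit of unit 1's New bank after the task ran; cycle 3 re-runs from Old.
 * Returns the number of committed cycles and the final voted command. */
static int scenario(uint32_t *cmd_out) {
    unit_t units[NUNITS];
    memset(units, 0, sizeof units);
    const uint32_t sensor[3] = {10, 20, 20};
    int commits = 0;
    for (int c = 0; c < 3; c++) {
        for (int i = 0; i < NUNITS; i++) run_task(&units[i], 0, sensor[c]);
        if (c == 1) units[1].task[0].bank[units[1].task[0].new_idx][1] ^= 0x4u;
        commits += end_of_cycle_vote(units, 0);
    }
    *cmd_out = ctx_read_old(&units[0], 0, 2);  /* command from the voted context */
    return commits;
}

int main(void) {
    uint32_t cmd;
    int commits = scenario(&cmd);
    printf("committed cycles: %d of 3, voted command: %u\n", commits, cmd);
    return 0;
}
```

The corrupted cycle is rejected without any restore action: the index is simply not flipped, and the next cycle overwrites the bad New bank from the untouched Old one.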

[0117] In this procedure three levels of error confinement zones may be defined: spatial, temporal and software zones.

[0118] This procedure is independent of the type of microprocessor chosen (a general purpose microprocessor, a signal processing microprocessor, a microprocessor developed specifically, etc.) and of the reference chosen (make, family, reference, etc.), and it may be used with all commercially available microprocessors.

[0119] This procedure may be used in an onboard electronic system and/or in the space industry.

[0120] The minimisation of the developments specific to the procedure of the invention, as well as its very high error coverage rate, are two attractive points of this procedure. In the hypothesis that maximises the implementation work, these developments are essentially:

[0121] For the software:

[0122] possible regrouping of the commands at the end of tasks (with the latter being usual in duplex architectures),

[0123] possible triggering of the approval for the context data at the end of tasks,

[0124] control of keys for the memory access watch device,

[0125] saving of the context data for the correction,

[0126] slight update of the existing software programs depending on the characteristics described above,

[0127] For the hardware:

[0128] development of memory access watch functions and control of the processors and input/output.

[0129] Furthermore, the following elements are available:

[0130] the use of commercial software libraries is possible without any restriction,

[0131] the memory access watch functions and control of the processors and input/output are generic and reusable from one project to another, besides the microprocessor interface for the memory access watch device which must be adapted in the event of changing the microprocessor.

[0132] To sum up, the advantages of the procedure from the invention are the following:

[0133] limited and generic hardware developments hence reusable from one project to another,

[0134] very little software development,

[0135] low level of calculation power used by fail safe system,

[0136] minimisation of the recurrent costs with respect to other fail safe architectures thanks to a limited structural duplication,

[0137] correction mode not involving any microprocessor load, therefore no disturbance to the real time functioning of the application (that might, for example, cause difficulties for tuning),

[0138] three levels of error confinement zones may be defined: spatial, temporal and software zones.

[0139] inbuilt detection of errors in the real time program, allowing a commercial product to be used without any extra cost for the detection,

[0140] very high error coverage rate.

BRIEF DESCRIPTION OF THE DRAWINGS

[0141] FIGS. 1 and 2 show, respectively, the block diagram and the functioning of a “master/checker” architecture.

[0142] FIG. 3 shows the block diagram of a reference hardware architecture.

[0143] FIG. 4 shows the time chart of a reference software architecture.

[0144] FIG. 5 shows the sequencing of the reference architecture.

[0145] FIG. 6 shows the architecture of the system of the invention.

[0146] FIG. 7 shows the error confinement zone at the spatial level of the system of the invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS

[0147] In a certain number of space missions, a very high level of computer availability is required. This is particularly true in the field of telecommunications satellites, in which the penalties for a lack of availability are excessively high: a few interruptions in transmission during peak call hours may cost the satellite operator, in penalties, the equivalent of the channel lease for one year.

[0148] Furthermore, the rate of single event upsets in a computer built entirely from commercial components of course depends on hypotheses such as the number of memory cells (registers, etc.) and the value taken into account for the sensitivity of a unit cell. The frequency of the single event upsets, which may be from one to a few events per month, is very much lower than the frequency of the computer's real time cycle, with this cycle corresponding to the error detection/correction granularity chosen for the procedure of the invention.

[0149] The maximum hypotheses (i.e., the worst case scenarios) selected for the definition of a fail safe architecture for transient errors according to the invention are the following:

[0150] All the components in the reference architecture are commercial components.

[0151] These commercial components are not characterised by the capacity for single event upsets as the prerequisite for their use: therefore they are all deemed to be sensitive.

[0152] As the basis for the description of the invention process, the standard and generic reference architecture of a calculator used in space is considered, shown on FIG. 3.

[0153] The onboard control unit 10, illustrated on this FIG. 3, includes:

[0154] one central unit 11,

[0155] one mass memory 12,

[0156] interfaces for power 13, payload 15, pyrotechnics 16, thermal 17, attitude and orbit control 18, linked by a data bus 19,

[0157] a remote control and remote measurement interface 14

[0158] electronics for monitoring and reconfiguration 20,

[0159] DC-DC converters 21 delivering switched (AC) and permanent (AP) power supplies.

[0160] The power interface 13 is linked to a solar generator 25 and to a battery 26.

[0161] The remote control and remote measurement interface 14 is linked to a transmitter/receiver, duplexer 27 linked to the aerials 28 and 29.

[0162] The payload 31 is linked to the central unit 11 through an avionic bus 32, to the mass memory 12 as well as to the remote control and remote measurement interface 14 through a high-rate serial link 33, and to the payload interface 15.

[0163] The pyrotechnics interface 16 is linked to some deployable systems.

[0164] The thermal interface 17 is linked to some heaters, thermistors 36.

[0165] The bearing and orbit control system 18 is linked to some sensors C1, C2, . . . Cn, some actuators A1, A2, . . . Am, and to a pressure sensor for the tanks 37.

[0166] Such an architecture is therefore made up by different processing modules (central unit module) or input/output (acquisition modules, command modules). The input/output modules (or acquisitions/commands) include low level electronics (analogue/digital or digital/analogue converter, digital or analogue path multiplexers, relays, etc . . . ).

[0167] These modules may indistinctly be cards linked by a motherboard bus or complete boxes linked by an avionic bus. In both cases, the interface to the bus may be made up by a master bus coupler (BC) on the Central Unit module, and by leased bus couplers on the other modules.

[0168] The reference software architecture, as illustrated in FIG. 4, is made up by processing tasks (for example, bearing and orbit control system task, real time clock task, onboard control task, etc . . . ), with each task generating results which must come from the calculator (commands or codes), with these results being generated (i.e., once they leave the calculator) as soon as they are calculated. The acquisitions (or Acq) are grouped together at the start of the real time cycle by way of time coherence (bearing and orbit control system, for example).

[0169] In FIG. 4, tasks A, B and C are shown at the same frequency for clarity of description.

[0170] The activity of these tasks is paced by a real time cycle triggered by a real time interrupt (IT-TR). The cycle starts certain tasks cyclically, either at the frequency of the real time cycle or at a sub-multiple of it. Other tasks are asynchronous and are started on events.

[0171] FIG. 5 shows the reference hardware and software architectures together: the central unit 40, the acquisition electronics 41 linked to the sensors 42, and the command electronics 43 linked to the actuators 44; the two electronic assemblies 41 and 43, as well as the central unit, are linked to a data bus 45.

[0172] The sequencing of the three main phases Ph1, Ph2 and Ph3, namely data acquisition, processing and command generation, involves all three parts of the electronics 40, 41 and 43, with phases Ph2 and Ph3 being interleaved.

[0173] The invention process is intended to be generic and may be used in any computer subject to transient error constraints, whatever the source of those errors (cosmic radiation, electromagnetic pulses, etc.).

[0174] Consequently, its description relies on a standard reference hardware and software architecture tied to no particular application. The hardware side of this architecture is defined only in terms of functional blocks, independently of the hardware implementation (choice of components, type of integration, etc.), and therefore takes no account of the specific nature of particular components or of any error detection/correction capabilities they may have. The procedure of the invention is therefore self-sufficient. Nonetheless, any fault tolerance mechanisms built into the components selected for a given application can only improve the error coverage rate over that of the procedure of the invention alone.

[0175] A study of the potential error signatures of the reference architecture subjected to single event upsets has been carried out. It allows the errors to be classified into two main groups:

[0176] data errors;

[0177] sequencing errors, which may themselves be split into two subgroups:

[0178] “soft crash”: an erroneous branch, after which the microprocessor comes back into phase with the instruction stream and executes a more or less erratic sequence of instructions;

[0179] “hard crash”: the microprocessor is no longer operational: it is no longer in phase with the instruction stream, it loads its instruction register with data, the stack pointer is corrupted, instruction sequencing is blocked waiting for an event that cannot occur, infinite loop, etc.

[0180] These two groups are themselves split into subgroups, the most important of which is address errors.

[0181] The distinction between a “soft” and a “hard” crash matters: a hardware mechanism external to the microprocessor (e.g., a watchdog) is generally required to detect a “hard” crash, whereas a software mechanism may be sufficient to detect a “soft” crash, since in the latter case the microprocessor continues to execute code, even if erratically.

[0182] Furthermore, microprocessor crashes are a class of critical errors, because a “mad microprocessor” is capable of actions with potentially catastrophic consequences for a mission; it is therefore important to detect them within a short time and/or to define error confinement zones, so as to minimise the probability of bad commands due to an undetected error.

[0183] A mechanism, or set of mechanisms, directly detecting any event in either of the two error groups above would have complete detection capability. If the direct detection of these two groups is not exhaustive enough, it may be worthwhile to add a mechanism specifically adapted to one or more subgroups, in particular address errors, so as to increase the overall coverage rate of the chosen solution.

[0184] Selection of the Detection/Correction Granularity

[0185] Overall, the granularity proposed in the invention for detection/correction is the computer's basic real time cycle, for example that of the attitude and orbit control task in a satellite platform computer.

[0186] More exactly, the granularity is the control/command cycle of each software task executed on the processing unit cores, but the term “real time cycle” is kept for simplicity.

[0187] In fact, in the invention process, as in a complete “classic” structural duplex, the aim is to let the computer run unmonitored and to validate only the data which must leave the computer (the commands) or which are used for error correction/recovery (the context).

[0188] The choice of the real time cycle as granularity is highly advantageous:

[0189] at this frequency, most sensors/actuators can be accessed for acquisition or command;

[0190] at the end of the real time cycle, the “live” data are relatively few (no intermediate data or local variables in use):

[0191] for detection, the “context” data to be validated are thus limited;

[0192] for correction, a simple, well localised recovery context is available.

[0193] Seeking a very fine granularity, particularly for correction, quickly reveals the complexity induced by defining the data necessary and sufficient for the recovery context, together with intermediate votes which complicate the overall operation.

[0194] More precisely, the detection/correction granularity for a given task is the period of that task itself, since the vote is performed at the end of the task. Consequently, for a 10 Hz task and a 1 Hz task, the granularity is 10 Hz for the former and 1 Hz for the latter. The reasoning is identical, but for clarity the notion of “granularity by real time cycle” is kept hereafter rather than “by task”.

[0195] Overall Description

[0196] Generally speaking, the “duplex” type of architecture (two identical physical strings in parallel executing the same software, with comparison of the outputs) is particularly attractive because it allows all errors to be detected without exception, whatever their type (errors in data, addresses, sequencing, configuration, etc.). The drawback of such a solution lies in the weight of the structural redundancy: the mass, volume, power consumption and recurring cost of the computer are all more than doubled, which is unacceptable for many applications.

[0197] Since the vast majority of the difficulties linked to error detection/correction are located in the microprocessor, a “master/checker” type architecture is highly attractive. However, in order to use microprocessors which do not include on-chip the mechanisms allowing micro-synchronisation of the master with the checker and comparison of their buses, another solution must be sought.

[0198] To retain the efficiency of the duplex while minimising the structural redundancy, and thus approach the compactness of a “master/checker” architecture, the procedure of the invention consists in duplicating only the microprocessor and its memory (referred to here as the “processing unit core”) and macro-synchronising them; the data produced by each processing unit core (e.g., commands, context) are validated before use by a component external to them.

[0199] A correction consists, following a detection, in inhibiting the real time cycle under way and reloading a healthy context from which to restart; the restart is in fact the nominal execution of the following cycle from the reloaded context: everything happens as if there were a “hole” of one real time cycle (this is a “continuation”).

[0200] The invention process gives a high coverage rate for transient errors in the processing unit core, since such errors inevitably lead to a difference between the two processing unit cores.

[0201] The invention process also allows permanent faults in either processing unit core to be detected, though obviously not corrected, so these have to be handled in the usual manner.

[0202] In any case, the invention process does not protect the actions downstream of the vote, that is to say the data transfers to the command electronics (the data bus) and the command electronics itself. Critical commands, which must be error-free, must therefore be protected by classic mechanisms: data coding, error detection circuits, command electronics instrumentation, etc.

[0203] The implementation of the invention process calls for two specific components: a memory access watch device and a processor and input/output control device. By design, these are protected against single event upsets by classic mechanisms: triplication of critical registers, etc.

DETAILED DESCRIPTION

[0204] Main Parts

[0205] FIG. 6 shows the hardware architecture of the procedure of the invention.

[0206] It includes a first and a second processing unit core 50 and 51, made up of the same elements, and a processor and input/output control device 52.

[0207] The first processing unit core includes:

[0208] a memory 53 protected by an error detection and correction (EDAC) code,

[0209] a microprocessor 54,

[0210] a memory access watch device 55.

[0211] The second processing unit core includes:

[0212] a memory 56 protected by an error detection and correction (EDAC) code,

[0213] a microprocessor 57,

[0214] a memory access watch device 58.

[0215] Each memory access watch device 55, 58 generates the chip select (CS) signals for the corresponding memory 53, 56.

[0216] The processor and input/output control device 52 is linked to each memory access watch device by a bus 60, 61. It is also linked to an input/output bus 62. It receives the ERR#1 and ERR#2 signals from the memory access watch devices 55 and 58 and an AE (asynchronous events) signal from outside. It delivers an IT (interrupt) signal to the two microprocessors 54 and 57 and an ERR (error) signal to the two processing unit cores 50 and 51.

[0217] The invention process is thus based on:

[0218] a structural duplication (50, 51) of the processing unit core;

[0219] a component 52 external to the processing unit cores, mainly performing three functions:

[0220] the macro-synchronisation of the processing unit cores 50 and 51,

[0221] the vote on the data, allowing error detection,

[0222] the input/output control;

[0223] memory planes (53, 56) in the processing unit cores, protected against single event upsets by an error detection/correction (EDAC) code;

[0224] a segmentation of the memory, associated with a hardware memory access watch device (55, 58) controlling the access rights, which, together with the error detection/correction code, allows the recovery context to be saved securely in the same memory planes (53, 56) and address errors to be detected;

[0225] a specific handling of the restart context;

[0226] a correction in the event of errors;

[0227] three levels of error confinement zones.

[0228] A “majority vote” takes at least three inputs, and the term “comparator” is more appropriate when there are only two, as in the procedure of the invention with its two processing unit cores illustrated in FIG. 6. In the present description, however, the more common generic term “voter” is used.

[0229] Structural Duplication

[0230] In the procedure of the invention, the structural duplication is limited to the processing unit core, that is to say the following elements:

[0231] the microprocessor (54, 57),

[0232] the microprocessor's memory (53, 56) (read only and read/write memory), protected against single event upsets by error detection/correction (EDAC),

[0233] an external hardware memory access watch device (55, 58), integrating the address decoding logic and the memory access watch,

[0234] unlike the “master/checker” architecture, in which only the microprocessor is duplicated, and unlike the classic structural duplex, in which the whole central unit board, or even the whole computer, is duplicated.

[0235] This structural duplication of the processing unit cores allows an unmodified real time executive and identical application software programs to be used, executed simultaneously on the processing unit cores and halted at the same point in the instruction flow (macro-synchronisation) to request an identical input/output (acquisition/command) or a vote on identical data (for example, the context).

[0236] Synchronisation/Vote/Inputs-Outputs

[0237] The hardware device 52 external to the processing unit cores 50 and 51, which controls the processors and the inputs/outputs, performs the following functions:

[0238] macro-synchronisation of the processing unit cores,

[0239] vote,

[0240] initiation of a correction following the detection of an error,

[0241] access to the processing unit core memories in direct memory access (DMA) mode,

[0242] control of the inputs/outputs, and interface between the processing unit buses 60 and 61 of the two processing unit cores and an input/output bus 62,

[0243] interrupt (IT) controller.

[0244] Each processing unit core 50, 51 communicates with the processors and inputs/outputs control device 52 over its processing unit bus 60, 61. The inputs/outputs are controlled by the processors and inputs/outputs control device 52 through the input/output bus 62.

[0245] Macro-Synchronisation

[0246] Each processing unit core 50, 51 operates independently of the other. As soon as one of the processing unit cores wishes to perform an input/output, that is to say either to read an acquisition or to issue a command, the operation is the following:

[0247] the processing unit core in question sends a message describing its request to the processors and inputs/outputs control device 52 over its processing unit bus 60 or 61 (the message contains an address for an acquisition, or an address/data pair for a command);

[0248] the processors and inputs/outputs control device 52 then waits for a message on its other processing unit bus.

[0249] If the second processing unit bus remains silent beyond a given time limit, an error is declared. Otherwise, the processors and inputs/outputs control device compares the two messages and, if they are completely identical (length and contents), performs the requested transfer over the input/output bus 62.

[0250] Once the transfer has been made, in the case of an acquisition the data are written by direct memory access into the memory of each processing unit core by the processors and inputs/outputs control device, which then releases the processing unit cores.

[0251] Each processing unit core can then resume its processing independently: the invention process therefore uses a macro-synchronisation limited to the vote points (inputs/outputs, context), unlike the “master/checker” architecture, in which the microprocessors are micro-synchronised instruction by instruction.

[0252] The number of macro-synchronisations may be reduced by grouping the issuing of commands, and the validation of the context data, at the end of the real time cycle, unlike the structure of the reference software.
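The exchange described in [0246] to [0252], as an added example that is not part of the original document: a small C model of the control device's side of one macro-synchronisation. The request layout, the tick-based time limit, the sensor map, the mapping of a sensor index to a memory word and the memory sizes are assumptions made for this example; the real device 52 works on bus messages and hardware timers.

```c
/* Added example (not code from the original document): software model of the
 * macro-synchronisation performed by the processors and inputs/outputs control
 * device 52. Request layout, time limit, sensor map and memory sizes are
 * assumptions made here for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_WORDS          16  /* assumed size of each core's memory plane */
#define SYNC_TIMEOUT_TICKS  8  /* assumed limit for the second core's request */
#define SENSOR_COUNT        4

enum io_kind { IO_ACQ = 1, IO_CMD = 2 };

/* Request sent by one core over its processing unit bus (assumed layout):
 * an address for an acquisition, an address/data pair for a command. */
struct io_request {
    uint8_t  kind;
    uint8_t  len;   /* encoded message length, compared before the contents */
    uint32_t addr;
    uint32_t data;  /* only meaningful for IO_CMD (zero for IO_ACQ) */
};

enum sync_result { SYNC_OK = 0, SYNC_TIMEOUT, SYNC_MISMATCH, SYNC_BAD_ADDR };

struct io_bus {                 /* the I/O side behind bus 62 (modelled) */
    uint32_t sensor[SENSOR_COUNT];
    uint32_t actuator_addr, actuator_data;
    int      commands_issued;
};

struct cores { uint32_t mem1[MEM_WORDS], mem2[MEM_WORDS]; };  /* memories 53, 56 */

struct io_request make_request(uint8_t kind, uint32_t addr, uint32_t data)
{
    struct io_request r;
    r.kind = kind; r.addr = addr;
    r.data = (kind == IO_CMD) ? data : 0;
    r.len  = (kind == IO_CMD) ? 9 : 5;   /* assumed: kind+addr(+data) in bytes */
    return r;
}

/* Field by field rather than memcmp, so struct padding can neither mask nor
 * fake a difference. */
static bool identical(const struct io_request *a, const struct io_request *b)
{
    return a->kind == b->kind && a->len == b->len &&
           a->addr == b->addr && a->data == b->data;
}

/* One macro-synchronisation. r1 arrived first; r2 is the other core's request,
 * arriving at tick `second_tick` (negative: never arrives). */
enum sync_result macro_sync(const struct io_request *r1, const struct io_request *r2,
                            int second_tick, struct io_bus *bus, struct cores *c)
{
    if (second_tick < 0 || second_tick > SYNC_TIMEOUT_TICKS)
        return SYNC_TIMEOUT;              /* other bus silent: error decided */
    if (!identical(r1, r2))
        return SYNC_MISMATCH;             /* length or contents differ */

    if (r1->kind == IO_ACQ) {
        if (r1->addr >= SENSOR_COUNT || r1->addr >= MEM_WORDS)
            return SYNC_BAD_ADDR;
        uint32_t v = bus->sensor[r1->addr];
        c->mem1[r1->addr] = v;            /* DMA into core 50's memory */
        c->mem2[r1->addr] = v;            /* DMA into core 51's memory */
    } else {
        bus->actuator_addr = r1->addr;    /* command goes out on bus 62 */
        bus->actuator_data = r1->data;
        bus->commands_issued++;
    }
    return SYNC_OK;                       /* both cores released */
}

int main(void)
{
    struct io_bus bus = { {10, 20, 30, 40}, 0, 0, 0 };
    struct cores c;
    memset(&c, 0, sizeof c);
    struct io_request a = make_request(IO_ACQ, 2, 0);
    struct io_request b = make_request(IO_ACQ, 3, 0);
    printf("identical requests: %d\n", macro_sync(&a, &a, 1, &bus, &c));   /* 0 */
    printf("diverging requests: %d\n", macro_sync(&a, &b, 1, &bus, &c));   /* 2 */
    printf("silent second bus:  %d\n", macro_sync(&a, &a, -1, &bus, &c));  /* 1 */
    return 0;
}
```

Note that the acquisition is never handed to the cores separately: the single value read on bus 62 is written by DMA into both memories, so a divergence between the cores can only come from the cores themselves, which is what the next vote is meant to catch.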

[0253] Vote

[0254] The vote performed by the processors and inputs/outputs control device 52 may be simple (a bit-by-bit comparison) or more complex (a comparison against thresholds), depending on the option selected. In the second case, the threshold is a parameter passed to the voter by the processing unit cores with each input/output; the thresholds are themselves validated bit by bit before being used.

[0255] If the complex votes are few, they may be entrusted to the application software so as to limit the complexity of the hardware voter (for example, exchange of the complex data to be voted between the processing unit cores through the direct memory access of the processors and inputs/outputs control device, then a vote by the processors and inputs/outputs control device on the result of the vote produced by each processing unit core).
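The two vote types of [0254] and the software-assisted vote of [0255], as an added example that is not part of the original document. The value widths, the one-byte verdict and the sample vectors are assumptions made for this example. The point worth seeing in code is the order of operations: the two copies of the threshold are compared bit by bit before either is trusted, so an upset in one core's threshold cannot widen the acceptance window.

```c
/* Added example (not code from the original document): bit-by-bit vote,
 * threshold vote and software-assisted complex vote of the control device 52.
 * Value widths, verdict encoding and sample data are assumptions made here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum vote_result { VOTE_OK = 0, VOTE_THRESHOLD_REJECTED, VOTE_DISAGREE };

/* Simple vote: the two copies must be identical bit for bit. */
bool vote_exact(const void *a, const void *b, size_t n)
{
    return memcmp(a, b, n) == 0;
}

/* Threshold vote on one signed 32-bit value. Each core passes its own copy of
 * the threshold; the copies are validated bit by bit before either is used. */
enum vote_result vote_threshold(int32_t v1, uint32_t t1, int32_t v2, uint32_t t2,
                                int32_t *out)
{
    if (!vote_exact(&t1, &t2, sizeof t1))
        return VOTE_THRESHOLD_REJECTED;   /* disagreeing thresholds: error */
    int64_t diff = (int64_t)v1 - (int64_t)v2;
    if (diff < 0) diff = -diff;
    if ((uint64_t)diff > t1)
        return VOTE_DISAGREE;
    *out = v1;                 /* assumed: core 50's copy is the one passed on */
    return VOTE_OK;
}

/* Core-side part of the software-assisted vote: after the other core's vector
 * has been copied in by DMA, each core computes a one-byte verdict. */
uint8_t core_verdict(const int32_t *mine, const int32_t *theirs, size_t n, uint32_t thr)
{
    for (size_t i = 0; i < n; i++) {
        int64_t diff = (int64_t)mine[i] - (int64_t)theirs[i];
        if (diff < 0) diff = -diff;
        if ((uint64_t)diff > thr) return 0;
    }
    return 1;
}

/* Hardware side: only the two verdicts reach the voter, compared bit by bit.
 * `upset_core2` models an upset that corrupts core 51's comparison result. */
enum vote_result complex_vote(const int32_t *a, const int32_t *b, size_t n,
                              uint32_t thr, bool upset_core2)
{
    uint8_t v1 = core_verdict(a, b, n, thr);
    uint8_t v2 = core_verdict(b, a, n, thr);
    if (upset_core2) v2 ^= 1;          /* core 51 reports the wrong verdict */
    if (!vote_exact(&v1, &v2, sizeof v1))
        return VOTE_DISAGREE;          /* verdicts differ: error decided */
    return v1 ? VOTE_OK : VOTE_DISAGREE;
}

int main(void)
{
    int32_t out = 0;
    printf("within threshold : %d\n", vote_threshold(100, 5, 103, 5, &out)); /* 0 */
    printf("beyond threshold : %d\n", vote_threshold(100, 5, 106, 5, &out)); /* 2 */
    printf("threshold differs: %d\n", vote_threshold(100, 5, 103, 7, &out)); /* 1 */
    return 0;
}
```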

[0256] Initialisation of a Correction

[0257] Elementary error detection is distributed between the memory access watch devices 55 and 58 within the processing unit cores 50 and 51 (control of memory access rights) and the processors and inputs/outputs control device 52 outside the processing unit cores (vote).

[0258] On the other hand, the overall decision that an error has just been detected is centralised in the processors and inputs/outputs control device 52: when a memory access watch device detects an error, it reports it to the processors and inputs/outputs control device (ERR#1 or ERR#2), which then generates a single error signal ERR to both processing unit cores so that each of them initiates a correction phase.

[0259] Direct Memory Access Controller

[0260] The processors and inputs/outputs control device 52 includes a direct memory access controller for loading the acquisition data into the memory of the processing unit cores and, optionally, for accessing the context data to be voted. This direct memory access controller may also be used for block transfers over the processing unit bus and/or the input/output bus.

[0261] Control of Inputs/Outputs

[0262] The processors and inputs/outputs control device 52 forms the interface between the processing unit buses 60, 61 of the two processing unit cores 50, 51 and a single input/output bus 62, and controls the inputs/outputs on behalf of the processing unit cores when they issue an identical request.

[0263] Interrupt Controller

[0264] The processors and inputs/outputs control device 52 receives all the external asynchronous events AE and generates the IT interrupts simultaneously towards the two processing unit cores 50 and 51. The interrupts are latched in the processors and inputs/outputs control device until released by both processing unit cores. Each microprocessor can thus make sure that it is not servicing a spurious interrupt generated by a single event upset in its own internal interrupt logic.

[0265] Protection for the Memory Planes

[0266] The memory planes are classically protected against single event upsets by a correction code (EDAC) and a scrubbing task (background re-reading of the whole memory plane to detect and correct dormant errors, so as to prevent the accumulation of erroneous bits in the same word, which the code might then no longer detect and/or correct).

[0267] This feature is important for the invention process: a high level of reliability in the storage of the restart context data is essential to ensure the effectiveness of the correction.

[0268] The invention process therefore relies on a doubly protected memory plane:

[0269] a memory plane intrinsically reliable with respect to single event upsets, thanks to an error detection and correction (EDAC) device;

[0270] a memory plane reliable with respect to incorrect writes following an address error, an instruction error, a microprocessor crash, etc., thanks to an access rights watch device (the memory access watch device).
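The EDAC and scrubbing of [0266], as an added example that is not part of the original document. It uses an extended Hamming (8,4) SEC-DED code over 4-bit words; a real memory plane uses a wider code of the same family (e.g. over 32-bit words), but the mechanism is identical. The toy memory and the injected upsets are constructed for the example. The scrub pass repairs a word with one flipped bit, while a word that has accumulated two flipped bits is only reported, which is exactly the situation scrubbing exists to prevent.

```c
/* Added example (not code from the original document): extended Hamming (8,4)
 * SEC-DED code and a scrubbing pass over a toy memory plane. Memory size and
 * the injected upsets are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum edac_status { EDAC_CLEAN = 0, EDAC_CORRECTED = 1, EDAC_UNCORRECTABLE = 2 };

/* XOR of all bits of w: 1 when the number of set bits is odd. */
static unsigned parity8(uint8_t w)
{
    w ^= w >> 4; w ^= w >> 2; w ^= w >> 1;
    return w & 1u;
}

/* Bits 1..7 hold a Hamming(7,4) codeword (parity at 1, 2, 4; data at 3, 5, 6,
 * 7); bit 0 is an overall parity bit making the 8-bit word even parity. */
uint8_t edac_encode(uint8_t nibble)
{
    unsigned d1 = nibble & 1u, d2 = (nibble >> 1) & 1u;
    unsigned d3 = (nibble >> 2) & 1u, d4 = (nibble >> 3) & 1u;
    unsigned p1 = d1 ^ d2 ^ d4, p2 = d1 ^ d3 ^ d4, p4 = d2 ^ d3 ^ d4;
    uint8_t w = (uint8_t)((p1 << 1) | (p2 << 2) | (d1 << 3) | (p4 << 4) |
                          (d2 << 5) | (d3 << 6) | (d4 << 7));
    return (uint8_t)(w | parity8(w));
}

/* Decode in place. One flipped bit is corrected (the syndrome is its position,
 * or 0 for the overall parity bit); two flipped bits give a non-zero syndrome
 * with even overall parity and are only detected. */
enum edac_status edac_decode(uint8_t *word, uint8_t *n)
{
    uint8_t w = *word;
    unsigned syndrome = 0;
    for (unsigned pos = 1; pos < 8; pos++)
        if ((w >> pos) & 1u) syndrome ^= pos;
    enum edac_status st = EDAC_CLEAN;
    if (parity8(w)) {                       /* odd parity: exactly one flip */
        w ^= (uint8_t)(1u << syndrome);
        st = EDAC_CORRECTED;
    } else if (syndrome) {
        return EDAC_UNCORRECTABLE;          /* two flips: word left as is */
    }
    *word = w;
    *n = (uint8_t)(((w >> 3) & 1u) | (((w >> 5) & 1u) << 1) |
                   (((w >> 6) & 1u) << 2) | (((w >> 7) & 1u) << 3));
    return st;
}

struct scrub_report { int corrected; int uncorrectable; };

/* Scrubbing task: re-read every word, write back corrected words, report the
 * ones that have accumulated more flips than the code can repair. */
struct scrub_report edac_scrub(uint8_t *mem, size_t n)
{
    struct scrub_report r = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        uint8_t nib;
        enum edac_status st = edac_decode(&mem[i], &nib);
        if (st == EDAC_CORRECTED) r.corrected++;
        else if (st == EDAC_UNCORRECTABLE) r.uncorrectable++;
    }
    return r;
}

int main(void)
{
    uint8_t mem[8];
    for (size_t i = 0; i < 8; i++) mem[i] = edac_encode((uint8_t)i);
    mem[2] ^= 0x20;          /* one upset: repaired by the next scrub pass */
    mem[5] ^= 0x21;          /* two upsets in one word: only detected */
    struct scrub_report r = edac_scrub(mem, 8);
    printf("corrected=%d uncorrectable=%d\n", r.corrected, r.uncorrectable); /* 1 1 */
    return 0;
}
```

If the scrub pass had run between the two upsets on `mem[5]`, the first one would have been repaired and the second would again have been a single, correctable error; the scrub period therefore has to be short compared with the expected interval between upsets on the same word.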

[0271] Memory Access Watch Device

[0272] Each memory access watch device 55, 58 is a hardware device derived from classic block memory protection units. The memory is partitioned into segments, and the device checks that the microprocessor seeking to access a segment indeed has the right to do so.

[0273] The memory access watch device allows a large proportion of address errors to be detected. In particular, it allows many microprocessor crashes to be detected rapidly, i.e., with a short latency: following a “soft” crash, a microprocessor frequently leaves the authorised address zone. The memory access watch device thus allows microprocessor sequencing errors, which are a category of critical errors, to be detected very quickly.

[0274] The memory access watch devices have certain specific characteristics:

[0275] the segment size is arbitrary and defined according to the application;

[0276] certain segments have a meaning and an operation specific to the invention process, in particular those used to save the restart context;

[0277] access authorisation is performed by programming keys stored in the internal registers of the memory access watch device, the definition of these keys being specific to the invention process;

[0278] the keys are defined at the “application software” level, not at the “hardware” level;

[0279] access to a segment is granted according to a logical combination of all or some of the keys, the logical combinations for each segment being specific to the invention process;

[0280] the memory access watch device can trigger specific mechanisms on a read or a write of a particular segment;

[0282] a zone is assigned to each application software task, so as to provide software confinement between tasks;

[0283] a context storage zone is assigned to each task, so as to protect it specifically with an “Old”/“New” flip-flop operation.

[0284] The list of the keys integrated in the memory access watch device is given below:

[0285] a key prohibiting writes to the zone storing the code, so as to prevent its corruption. Otherwise, the code would have to be systematically validated and reloaded each time an error is detected, which would be particularly restrictive. This key allows that zone to be written only at computer initialisation, when the code held in read only memory must be transferred to read/write memory.

[0286] a key indicating the current task, authorising the microprocessor to access only the memory zone containing the data of the software task being run. This key confines errors in one task with respect to the others.

[0287] a key indicating which, among the sets of “Old”/“New” zones working in flip-flop, are the “Old” zones and which the “New” zones, the “Old” zones being write-prohibited.
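The keys and segment rules of [0275] to [0287], as an added example that is not part of the original document: a C model of one memory access watch device. The address map, the 0/1 bank indexes and the representation of the ERR# line as a flag are assumptions made for this example; the rules themselves follow the three keys listed above, each segment's decision being a logical combination of the keys.

```c
/* Added example (not code from the original document): model of a memory
 * access watch device 55/58 with the three keys of the page. Address map,
 * bank indexes and the ERR# flag are assumptions made here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum seg_kind { SEG_CODE, SEG_TASK_DATA, SEG_CTX_BANK };

struct segment {
    uint32_t base, last;     /* inclusive address range */
    enum seg_kind kind;
    uint8_t task;            /* owning task (task data and context banks) */
    uint8_t bank;            /* 0 or 1 (context banks only) */
};

#define MAX_SEGMENTS 8

struct mawd {
    /* Keys, programmed by the application software into internal registers. */
    bool    key_init;        /* code zone writable only while set */
    uint8_t key_task;        /* current task: only its zones are accessible */
    uint8_t key_old_bank;    /* which bank index is "Old" (write-prohibited) */
    struct segment seg[MAX_SEGMENTS];
    size_t  nseg;
    int     err_asserted;    /* ERR#n towards the control device 52 */
};

static void add_segment(struct mawd *m, uint32_t base, uint32_t last,
                        enum seg_kind kind, uint8_t task, uint8_t bank)
{
    if (m->nseg >= MAX_SEGMENTS) return;
    struct segment *s = &m->seg[m->nseg++];
    s->base = base; s->last = last; s->kind = kind; s->task = task; s->bank = bank;
}

/* Example layout: code, one data zone per task, two context banks per task. */
void mawd_setup(struct mawd *m)
{
    m->nseg = 0; m->err_asserted = 0;
    m->key_init = true; m->key_task = 0; m->key_old_bank = 0;
    add_segment(m, 0x0000, 0x0FFF, SEG_CODE, 0, 0);
    add_segment(m, 0x1000, 0x1FFF, SEG_TASK_DATA, 0, 0);
    add_segment(m, 0x2000, 0x2FFF, SEG_TASK_DATA, 1, 0);
    add_segment(m, 0x3000, 0x30FF, SEG_CTX_BANK, 0, 0);
    add_segment(m, 0x3100, 0x31FF, SEG_CTX_BANK, 0, 1);
    add_segment(m, 0x3200, 0x32FF, SEG_CTX_BANK, 1, 0);
    add_segment(m, 0x3300, 0x33FF, SEG_CTX_BANK, 1, 1);
}

static const struct segment *find_segment(const struct mawd *m, uint32_t addr)
{
    for (size_t i = 0; i < m->nseg; i++)
        if (addr >= m->seg[i].base && addr <= m->seg[i].last) return &m->seg[i];
    return NULL;
}

/* Check on every bus cycle: true = chip select granted, false = access
 * refused and ERR# asserted. An address outside every segment (typical of a
 * soft crash) is refused as well. */
bool mawd_check(struct mawd *m, uint32_t addr, bool write)
{
    const struct segment *s = find_segment(m, addr);
    bool ok = false;
    if (s != NULL) {
        switch (s->kind) {
        case SEG_CODE:      /* fetches/reads always, writes only at init */
            ok = !write || m->key_init;
            break;
        case SEG_TASK_DATA: /* only the current task's own zone */
            ok = (s->task == m->key_task);
            break;
        case SEG_CTX_BANK:  /* current task's banks; the Old bank is read-only */
            ok = (s->task == m->key_task) && (!write || s->bank != m->key_old_bank);
            break;
        }
    }
    if (!ok) m->err_asserted = 1;
    return ok;
}

/* End-of-cycle flip-flop after a successful vote: New becomes Old. */
void mawd_flip_flop(struct mawd *m)
{
    m->key_old_bank = (uint8_t)(1 - m->key_old_bank);
}

int main(void)
{
    struct mawd m;
    mawd_setup(&m);
    m.key_init = false;                 /* code copied: lock the code zone */
    printf("write code zone: %d\n", mawd_check(&m, 0x0010, true));   /* 0 */
    printf("write Old bank : %d\n", mawd_check(&m, 0x3000, true));   /* 0 */
    printf("write New bank : %d\n", mawd_check(&m, 0x3100, true));   /* 1 */
    return 0;
}
```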

[0288] Functioning of the Restart Context

[0289] The memory zones used to save the recovery or restart context are separate for each task, in order to limit error recovery to the single faulty task, that is to say the task current at the time the error is detected; a recovery may thus be performed on that software task alone, without affecting the execution of the other tasks.

[0290] The handling of the restart context involves four phases: storage, vote, saving and restoration.

[0291] For a correction mode of the “recovery” type, the data constituting the restart context must be specifically protected, so that the restart can always be performed from a healthy context.

[0292] To this end, the data are stored in specific zones of the processing unit core memories (53, 56), each zone being controlled by the memory access watch device as a double “Old”/“New” bank working in flip-flop.

[0293] Several methods may be used to validate them.

[0294] In a first method, at the end of the real time cycle the “New” zones are validated as a group by the processors and inputs/outputs control device 52, at the request of the application software, so that they are saved only if they are deemed healthy. This method has the advantage of reducing the number of macro-synchronisations required for the vote on the context data.

[0295] In a second method, any attempt to write to one of the context zones during the real time cycle is detected by the memory access watch device and systematically passed to the processors and inputs/outputs control device for a vote. If the vote is correct, the data is actually stored in the memory of the processing unit cores by the memory access watch device.

[0296] At the end of the real time cycle, and after the vote in the first method, the current context zones are saved and flip-flopped by inverting the “Old” and “New” index: the current context becomes the preceding context.

[0297] The “context restoration” function, activated on error correction, relies on the fact that the index designating the preceding context, deemed healthy, has not changed: in normal operation it is flip-flopped only when no error has been detected, and this “non flip-flop” is inherent in the inhibition of the real time cycle in which the error is detected.

[0298] Recovery or Correction

[0299] Different, more or less complex, correction modes may be implemented depending on the type of mission:

[0300] system reinitialisation, that is to say warm reinitialisation, cold reinitialisation or switch-over to a redundant computer if there is one;

[0301] backward recovery;

[0302] forward recovery, that is to say “pure” continuation or continuation based on a saved context.

[0303] The last solution is preferred for complex control-command systems, and it is the one used here to describe the procedure of the invention.

[0304] The correction is executed according to the following sequence:

[0305] when an error is detected, the current real time cycle (number N) is inhibited and no command is issued: the microprocessor goes into idle mode (“standby”) awaiting the next real time cycle;

[0306] the following real time cycle N+1 is executed not from context N (which is not safe) but from the preceding context N−1 and from the acquisitions of the current cycle N+1.

[0307] The faulty real time cycle is thus not replayed; it is not a retry strictly speaking. The current real time cycle is simply inhibited and the context of the preceding cycle is kept. In the event of an error, the microprocessor does not issue the commands of the current real time cycle, since it has gone into standby mode: everything happens as if there were a “hole” of one real time cycle.

[0308] The correction requires no specific action: since the microprocessor has gone into standby mode after a detection, it cannot execute (or complete) the vote at the end of the current real time cycle. That naturally results in the “Old” and “New” contexts not being swapped, the swap being done at the end of the validation, when the system state may be deemed healthy. The restoration or reloading of the context following an error detection is therefore intrinsic to the operation selected for the procedure of the invention.

[0309] On a restart, the term “reloading of the context” is often used. Strictly speaking, the procedure needs no reloading, since the “Old” and “New” indexes of the context zones are not swapped following an error detection: the restart consists of “doing nothing”, i.e., going into standby, the rest of the nominal operation following automatically.

[0310] Furthermore, the recovery or correction may be limited to the current task, thanks to the confinement between tasks and the separate restart contexts for each task; in that case only the faulty task is aborted and loses one real time cycle in a recovery by continuation, and the execution of the other tasks is not affected at all.

[0311] A single restart attempt is made. If it fails, it is, for example, because the error has spread to the restart context, which is therefore no longer healthy, or because there is a permanent fault. A complete reinitialisation of the computer, or switch-over to a redundant backup computer if there is one, is then necessary.
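The “Old”/“New” banks of [0292] to [0297] driven through the correction sequence of [0305] to [0311], as an added example that is not part of the original document, for one task on a two-core duplex. The control law (an integrator whose state is the context), the bit flip used to model an upset in one core and the bookkeeping of the single restart attempt are assumptions made for this example; the model follows the page in that a failed end-of-cycle vote issues no command and leaves the bank index unchanged, so that cycle N+1 starts from context N−1 without any reload.

```c
/* Added example (not code from the original document): Old/New context banks
 * and the inhibit-and-continue correction on a two-core duplex. Control law,
 * upset model and restart bookkeeping are assumptions made here. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum cycle_result { CYCLE_OK = 0, CYCLE_INHIBITED, CYCLE_REINIT_REQUIRED };

struct core { int32_t bank[2]; };      /* one task's context zones, two banks */

struct duplex {
    struct core core[2];               /* processing unit cores 50 and 51 */
    int     old_idx;                   /* index of the Old (validated) bank */
    int     pending_restart;           /* an inhibited cycle awaits its restart */
    bool    command_issued;            /* output of the last cycle */
    int32_t last_command;
};

void duplex_init(struct duplex *d)
{
    for (int i = 0; i < 2; i++) d->core[i].bank[0] = d->core[i].bank[1] = 0;
    d->old_idx = 0; d->pending_restart = 0;
    d->command_issued = false; d->last_command = 0;
}

/* Assumed control law: the context is an integrator state, and the command
 * issued at the end of the cycle is the new state. */
static int32_t control_law(int32_t prev_state, int32_t acquisition)
{
    return prev_state + acquisition;
}

/* Context the next cycle starts from: always the Old bank. */
int32_t current_context(const struct duplex *d)
{
    return d->core[0].bank[d->old_idx];
}

/* One real time cycle N. Both cores compute from the Old bank (context N-1)
 * and write the New bank (context N). At the end of the cycle the New banks
 * are voted: on agreement the command is issued and the banks flip-flop; on
 * disagreement the cycle is inhibited (no command, no flip-flop), so cycle
 * N+1 naturally restarts from context N-1. */
enum cycle_result run_cycle(struct duplex *d, int32_t acquisition, bool upset_in_core1)
{
    int new_idx = 1 - d->old_idx;
    for (int i = 0; i < 2; i++) {
        int32_t next = control_law(d->core[i].bank[d->old_idx], acquisition);
        if (i == 1 && upset_in_core1) next ^= 0x40;   /* single bit upset in core 51 */
        d->core[i].bank[new_idx] = next;              /* New bank is writable */
    }
    d->command_issued = false;
    if (d->core[0].bank[new_idx] != d->core[1].bank[new_idx]) {
        /* Vote failed: standby for the rest of cycle N. Only one restart is
         * attempted; a second consecutive failure escalates. */
        if (d->pending_restart) return CYCLE_REINIT_REQUIRED;
        d->pending_restart = 1;
        return CYCLE_INHIBITED;
    }
    d->last_command = d->core[0].bank[new_idx];
    d->command_issued = true;
    d->old_idx = new_idx;              /* flip-flop: context N becomes Old */
    d->pending_restart = 0;
    return CYCLE_OK;
}

int main(void)
{
    struct duplex d;
    duplex_init(&d);
    run_cycle(&d, 1, false);                  /* context 1, command 1 */
    run_cycle(&d, 2, true);                   /* upset: cycle inhibited, a "hole" */
    run_cycle(&d, 3, false);                  /* restarts from 1: context 4 */
    printf("context=%d command=%d\n", current_context(&d), d.last_command); /* 4 4 */
    return 0;
}
```

The sequence in `main` shows the “hole”: the acquisition of cycle 2 is lost (the final context is 4, not 6), but nothing computed during the faulty cycle ever reaches a command or the Old bank.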

[0312] Confinement Zones

[0313] Three confinement zones are defined in the invention process.

[0314] The first zone corresponds to a spatial confinement. This main error confinement zone 70 is made up of the acquisition electronics 41 and the central unit 40, as illustrated in FIG. 7, which uses the same references as FIG. 5. The acquisition electronics is protected by classic mechanisms (for example, replication). Thus, if an error disturbs the acquisitions or the processing (the time allocated to processing being by far the largest, it is statistically in the processing phase that most errors occur), this error cannot propagate to the command electronics. Errors arising from a single event upset in the acquisition electronics or in the central unit therefore cannot cause bad commands for the satellite; they do not disturb the mission.

[0315] The second zone corresponds to a temporal confinement of errors at the real time cycle level (the real time cycle following the appearance of an error is correct), since the correction is based on a real time cycle granularity.

[0316] The third zone corresponds to a software confinement of errors at the software task level (no propagation of errors from one task to another), thanks to the memory access watch device.

[0317] Error Coverage Rate of the Process

[0318] The error coverage rate of a fault tolerance mechanism is the percentage of errors it is capable of handling, out of all the errors liable to arise.

[0319] Furthermore, in the invention process, given that the spatial confinement zone is impervious to errors, no erroneous command can be generated in the command electronics.

[0320] The error coverage rate of the invention process should lie in the range of the usual coverage rates for a structural duplex, that is to say over 99%.

[0321] Variations

[0322] Some variations in the invention process are possible. Some have already been mentioned:

[0323] Regrouping of the generation of the commands, and of the vote of the context data, at the end of the real time cycle in order to cut down the number of macro-synchronisations.

[0324] Simple vote (bit by bit vote type) or more complex vote (vote type with respect to some thresholds).

[0325] Processing unit bus and/or input/output bus with block transfer or not.

[0326] Correction mode.

[0327] Inclusion of the software mechanisms of the invention process in the real time executable so as to maximise the correction rate.

[0328] Furthermore, it is possible to share out the following functions of the processors and inputs/outputs control device in the processing unit cores and to perform them in the software at the price of a reduction in the error coverage rate:

[0329] the macro-synchronisation,

[0330] the vote,

[0331] the inputs/outputs control.

[0332] The processors and inputs/outputs control device 52 for synchronisation/vote/inputs-outputs may also be removed and its functions spread out to the hardware and/or software in the processing unit cores.

[0333] Finally, it is possible to triplicate the processing unit core, possibly by simplifying or removing the memory access watch device, since the processors and inputs/outputs control device is connected to the three processing unit cores and performs a majority vote. The errors are masked in real time. A memory context must be transferred into the memory of the faulty processing unit core if the memory access watch device has been removed or if the error involves the real time executable. This transfer may be greatly reduced if the memory access watch device is kept along with the “segmentation by task” function.


1. Computer system tolerating transient errors made up by a processing unit, characterised by the fact that it includes:  
     at least two processing units (50, 51) with each one including:  
     a microprocessor (54, 57),  
     a memory (53, 56) protected by a device generating and controlling a code for the detection and correction of errors,  
     a device (55, 58) for monitoring memory accesses, mainly including:  
     means for segmentation of the memory and the verification of the access rights to each segment (53, 56),  
     means for specific protection of the memory segments (53, 56) allocated to saving the recovery context,  
     means for generating a correction demand signal to the device (52) for controlling the processing units and the inputs/outputs,  
     a centralised control device (52) for the processing units and for inputs/outputs, including:  
     macro-synchronisation means for the processing units (50, 51),  
     comparison/vote means for the data generated by the processing units (50, 51),  
     correction demand means,  
     decision-making means arising from the memory access watch devices (55, 58), means for decision-making so as to initialise a correction phase in the event of an error and means allowing the demand to be transmitted simultaneously to all the processing units (50, 51),  
     means allowing the inputs/outputs to be made,  
     some links (60, 61) respectively linking each processing unit to the processing units and inputs/outputs control device (52).
 2. System according to claim 1, in which the memory access watch device (55, 58) includes the means for allowing:  
     memory zones for each task to be differentiated,  
     the accesses to the memory zone affected by the current task to be authorised,  
     the accesses to the memory zones involved in other tasks to be forbidden.
 3. System according to claim 1, in which the memory access watch device (55, 58) includes the means for allowing:  
     this context to be memorised in a shared and centralised memory (53, 56) without needing any specific storage device,  
     the memory zones involved in saving the context from each task to be differentiated,  
     each zone used for memorising this context to be controlled in a double “Old” and “New” bank,  
     the double “Old” and “New” banks to work in flip-flop,  
     the double banks to be flip-flopped by simply inverting a set of “Old” and “New” indexes,  
     the “Old” zones to be authorised in reading whilst prohibiting them in writing.
 4. System according to any one of the preceding claims, which is used in an onboard electronic system and/or in the spatial field.
 5. Process to make a computer system tolerant to transient faults, made up by a processing unit, characterised by the fact that it allows:  
     identical software applications to be run simultaneously on at least two processing units (50, 51) independently and asynchronously, and complying with the following functioning:  
     the transient errors affecting the memory (53, 56) in the processing units (50, 51) are detected and corrected thanks to the use of a detection and correction code stored in the memory associated to a software scanning task,  
     the proper functioning of the microprocessor (54, 57) of the processing units (50, 51) is verified thanks to a segmentation of the memory associated to monitoring of the memory accesses which ensures that the microprocessor really holds the access rights for the current segment of the memory (53, 56),  
     the memory segments allocated to saving the recovery context are extremely secure thanks to specific monitoring of the memory accesses so as to ensure that a faulty microprocessor (54, 57) cannot generate any error in these critical zones,  
     a correction demand is transmitted to the control function for the processing units and the inputs/outputs in the event of a violation of the access rights,  
     the following operations to be centralised in the control function for the processing units and the inputs/outputs:  
     macro-synchronisation of the different simultaneous executions of the software,  
     comparison/vote of all the data generated by the different executions of the software,  
     reception of the correction demands arising from the memory access watch functions following an error detection,  
     when an error is detected, whatever its source may be, decision-making in order to initialise a correction phase and transmission of this demand simultaneously to the different executions of the software,  
     performing the inputs/outputs upon demand from the software applications,  
     the interface to be made between the software programs being executed simultaneously and the control function for the processing units and the inputs/outputs.
 6. Process according to claim 5, in which there is a confinement zone for errors between software tasks, in such a way that a faulty microprocessor (54, 57) can only disturb the variables of the current task but not those of the other tasks.
 7. Process according to claim 5, in which, in the event of error detection, a recovery is possible thanks to the vote then the memorisation of the preceding context of the software tasks, and thanks to its specific protection allowing to guarantee that it is healthy, with this context being memorised in a shared and centralised memory (53, 56) in each processing unit (50, 51), in some memory zones specific to each task in a double “Old” and “New” bank working in flip-flop, the flip-flop for these double banks being performed by simply inverting an “Old” and “New” index set so that the current context will thus become the preceding context, with the “Old” zones being authorised in reading to be used as input data for the tasks but forbidden in writing and so protected even in the event of a malfunction of the microprocessors (54, 57).
 8. Process according to claim 7, in which the error recovery based on a restoration of the preceding context is performed thanks to the fact that the index stating the preceding context deemed to be healthy is not changed, when it is systematically flip-flopped at the end of the period corresponding to the detection/recovery granularity when no error is detected.
 9. Process according to claim 5, in which the error detection/recovery granularity is the control/command cycle for each one of the software tasks being executed on the processing units (50, 51) and in which a recovery may only be performed on the faulty software task without the execution of the other tasks being affected by it.
 10. Process according to claim 5, in which an error detection entails the microprocessor going into standby mode, thereby producing a “hole” in a period in the usual execution cycle.
 11. Process according to claim 5, in which the comparison/vote of the context may be performed optionally in two ways: either, the application software explicitly demands a grouped comparison/vote of the context data so as to save them only if they are deemed to be healthy, with this demand being made systematically at the end of the period corresponding to the detection/recovery granularity; or, as their calculation progresses, the hardware device for monitoring memory accesses (55, 58) in each processing unit (50, 51) detects any attempt at writing in the context zones and systematically subjects it to a comparison/vote to verify its veracity.
 12. Process according to claim 5, in which three error confinement zone levels are defined: spatial, temporal and software levels.
 13. Process according to one of claims 5 to 12 which is independent from the choice of the microprocessor and which may be used with all commercial microprocessors.
 14. Process according to any one of claims 5 to 12, which is used in an onboard electronic system and/or in the space field. 
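The cycle-level recovery of paragraphs [0310] and [0311], the duplex comparison with the “Old”/“New” index flip-flop of claims 7, 8, 9 and 11, and the triplicated variant of paragraph [0333], as an added Python model that is not the patent's own code. The task functions, the unit names and the injected upset (one flipped bit in one unit's result) are constructed assumptions; the model votes at task granularity, restarts only the faulty task once from the untouched “Old” bank, and with three units masks the error by transferring the voted value into the minority core.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Step = Callable[[int], int]   # a task's computation: preceding context -> new context


@dataclass
class TaskContext:
    """Double 'Old'/'New' bank of one task; a flip only inverts the index."""
    banks: List[int] = field(default_factory=lambda: [0, 0])
    old: int = 0   # bank holding the preceding context deemed healthy

    @property
    def new(self) -> int:
        return 1 - self.old

    def flip(self) -> None:
        self.old = self.new   # current context becomes the preceding one; nothing is copied


@dataclass
class ProcessingUnit:
    """A processing unit core (50, 51): computes New from Old for every task."""
    name: str
    contexts: Dict[str, TaskContext]
    upset: Optional[Tuple[str, int]] = None   # constructed fault: (task, bit flipped in the result)
    permanent: bool = False                    # True models a fault that never clears

    def run_task(self, task: str, step: Step) -> None:
        ctx = self.contexts[task]
        result = step(ctx.banks[ctx.old])          # Old is only ever read
        if self.upset and self.upset[0] == task:
            result ^= 1 << self.upset[1]           # single event upset hits the result
            if not self.permanent:
                self.upset = None                  # transient: it strikes once
        ctx.banks[ctx.new] = result                # New is the only writable bank


class ControlDevice:
    """Model of device 52: synchronisation point, comparison/vote, correction decision."""

    def __init__(self, units: List[ProcessingUnit]):
        self.units = units
        self.events: List[str] = []

    def _majority(self, task: str) -> Optional[int]:
        """Bit-exact vote; with two units it reduces to a plain comparison."""
        values = [u.contexts[task].banks[u.contexts[task].new] for u in self.units]
        for v in set(values):
            if 2 * values.count(v) > len(values):
                return v
        return None

    def _commit(self, task: str, value: int) -> int:
        """Flip every unit to the voted value; returns how many cores had to be corrected."""
        corrected = 0
        for u in self.units:
            ctx = u.contexts[task]
            if ctx.banks[ctx.new] != value:
                ctx.banks[ctx.new] = value       # context transfer into the faulty core
                corrected += 1
            ctx.flip()
        return corrected

    def end_of_task(self, task: str, step: Step) -> str:
        value = self._majority(task)
        if value is not None:
            return "masked" if self._commit(task, value) else "ok"
        # No majority: correction demand. The Old index is left untouched, so the
        # preceding context stays healthy and the task is re-run from it once.
        self.events.append(f"correction demand: {task}")
        for u in self.units:
            u.run_task(task, step)
        value = self._majority(task)
        if value is not None:
            self._commit(task, value)
            return "recovered"
        self.events.append("restart failed: full reinitialisation required")
        return "reinit"


def run_cycle(ctrl: ControlDevice, tasks: Dict[str, Step]) -> Dict[str, str]:
    """One real time cycle: run each task on every unit, then vote it."""
    outcome: Dict[str, str] = {}
    for task, step in tasks.items():
        for u in ctrl.units:
            u.run_task(task, step)
        outcome[task] = ctrl.end_of_task(task, step)
        if outcome[task] == "reinit":
            break                                  # the cycle is abandoned
    return outcome


def make_system(tasks: Dict[str, Step], n_units: int = 2, upset=None, permanent=False) -> ControlDevice:
    units = [ProcessingUnit(f"unit {i}", {t: TaskContext() for t in tasks}) for i in range(n_units)]
    units[-1].upset, units[-1].permanent = upset, permanent   # the last unit carries the fault
    return ControlDevice(units)


def preceding_context(ctrl: ControlDevice, task: str) -> List[int]:
    return [u.contexts[task].banks[u.contexts[task].old] for u in ctrl.units]


# Constructed workload: two tasks with deterministic context updates.
TASKS: Dict[str, Step] = {"attitude": lambda x: (3 * x + 1) & 0xFFFF, "thermal": lambda x: x + 7}


def demo(n_units: int = 2, permanent: bool = False):
    ctrl = make_system(TASKS, n_units, upset=("attitude", 4), permanent=permanent)
    return run_cycle(ctrl, TASKS), preceding_context(ctrl, "attitude"), ctrl.events


if __name__ == "__main__":
    print(demo())                    # duplex, transient upset: task recovered from Old
    print(demo(3))                   # triplex: upset masked by the majority vote
    print(demo(2, permanent=True))   # duplex, fault persists: reinitialisation required
```

With two units the “thermal” task is flipped normally while “attitude” is voted, restarted and then flipped, so only the faulty task pays for the error. With a persistent fault the single restart fails and the Old index of the faulty task is never advanced, which is exactly the state a full reinitialisation would start from.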